Helm chart

This reference is generated from the Tetragon Helm chart values.

The Tetragon Helm chart source is available under github.io/cilium/tetragon/install/kubernetes/tetragon and is distributed from the Cilium helm charts repository helm.cilium.io.

To deploy Tetragon using this Helm chart you can run the following commands:

helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon -n kube-system

To use the values available, with helm install or helm upgrade, use --set key=value.

Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | {} | |
| crds.installMethod | string | "operator" | Method for installing CRDs. Supported values are: "operator", "helm" and "none". The "operator" method allows fine-grained control over which CRDs are installed and by default does not perform CRD downgrades; these can be configured in the tetragonOperator section. The "helm" method always installs all CRDs for the chart version. |
| daemonSetAnnotations | object | {} | |
| daemonSetLabelsOverride | object | {} | |
| dnsPolicy | string | "Default" | DNS policy for Tetragon pods. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
| enabled | bool | true | |
| export | object | {"filenames":["tetragon.log"],"mode":"stdout","resources":{},"securityContext":{},"stdout":{"argsOverride":[],"commandOverride":[],"enabledArgs":true,"enabledCommand":true,"extraEnv":[],"extraVolumeMounts":[],"image":{"override":null,"repository":"quay.io/cilium/hubble-export-stdout","tag":"v1.0.4"}}} | Tetragon events export settings. |
| exportDirectory | string | "/var/run/cilium/tetragon" | Directory to put Tetragon JSON export files. |
| extraConfigmapMounts | list | [] | |
| extraHostPathMounts | list | [] | |
| extraVolumes | list | [] | |
| hostNetwork | bool | true | Configures whether Tetragon pods run on the host network. IMPORTANT: Tetragon must be on the host network for process visibility to function properly. |
| imagePullPolicy | string | "IfNotPresent" | |
| imagePullSecrets | list | [] | |
| nodeSelector | object | {} | |
| podAnnotations | object | {} | |
| podLabels | object | {} | |
| podLabelsOverride | object | {} | |
| podSecurityContext | object | {} | |
| priorityClassName | string | "" | |
| rthooks | object | {"annotations":{},"enabled":false,"extraHookArgs":{},"extraLabels":{},"extraVolumeMounts":[],"failAllowNamespaces":"","image":{"override":null,"repository":"quay.io/cilium/tetragon-rthooks","tag":"v0.4"},"installDir":"/opt/tetragon","interface":"","nriHook":{"nriSocket":"/var/run/nri/nri.sock"},"ociHooks":{"hooksPath":"/usr/share/containers/oci/hooks.d"},"podAnnotations":{},"podSecurityContext":{},"priorityClassName":"","resources":{},"serviceAccount":{"name":""}} | Method for installing the Tetragon rthooks (tetragon-rthooks) daemonset. The tetragon-rthooks daemonset is responsible for installing run-time hooks on the host. See: https://tetragon.io/docs/concepts/runtime-hooks |
| rthooks.annotations | object | {} | Annotations for the Tetragon rthooks daemonset. |
| rthooks.enabled | bool | false | Enable the Tetragon rthooks daemonset. |
| rthooks.extraHookArgs | object | {} | Extra args to pass to tetragon-oci-hook. |
| rthooks.extraLabels | object | {} | Extra labels for the Tetragon rthooks daemonset. |
| rthooks.extraVolumeMounts | list | [] | Extra volume mounts to add to the oci-hook-setup init container. |
| rthooks.failAllowNamespaces | string | "" | Comma-separated list of namespaces in which Pod creation is still allowed if tetragon-oci-hook fails to reach the Tetragon agent. The namespace Tetragon is deployed in is always added as an exception and must not be added again. |
| rthooks.image | object | {"override":null,"repository":"quay.io/cilium/tetragon-rthooks","tag":"v0.4"} | Image for the Tetragon rthooks pod. |
| rthooks.installDir | string | "/opt/tetragon" | Host location where the tetragon-oci-hook binary will be installed. |
| rthooks.interface | string | "" | Method to use for installing rthooks. Values: "oci-hooks": add an appropriate file to "/usr/share/containers/oci/hooks.d"; use this with CRI-O. See https://github.com/containers/common/blob/main/pkg/hooks/docs/oci-hooks.5.md for more details. Specific configuration for this interface is under rthooks.ociHooks. "nri-hook": install the hook via NRI; use this with containerd. Requires NRI to be enabled; see https://github.com/containerd/containerd/blob/main/docs/NRI.md. |
| rthooks.nriHook | object | {"nriSocket":"/var/run/nri/nri.sock"} | Configuration for the "nri-hook" interface. |
| rthooks.nriHook.nriSocket | string | "/var/run/nri/nri.sock" | Path to the NRI socket. |
| rthooks.ociHooks | object | {"hooksPath":"/usr/share/containers/oci/hooks.d"} | Configuration for the "oci-hooks" interface. |
| rthooks.ociHooks.hooksPath | string | "/usr/share/containers/oci/hooks.d" | Directory in which to install the .json file for running the hook. |
| rthooks.podAnnotations | object | {} | Pod annotations for the Tetragon rthooks pod. |
| rthooks.podSecurityContext | object | {} | Security context for the Tetragon rthooks pod. |
| rthooks.priorityClassName | string | "" | priorityClassName for the Tetragon rthooks pod. |
| rthooks.resources | object | {} | Resources for the oci-hook-setup init container. |
| rthooks.serviceAccount | object | {"name":""} | rthooks service account. |
| selectorLabelsOverride | object | {} | |
| serviceAccount.annotations | object | {} | |
| serviceAccount.create | bool | true | |
| serviceAccount.name | string | "" | |
| serviceLabelsOverride | object | {} | |
| tetragon.argsOverride | list | [] | Override the arguments. For advanced users only. |
| tetragon.btf | string | "" | |
| tetragon.clusterName | string | "" | Name of the cluster where Tetragon is installed. Tetragon uses this value to set the cluster_name field in GetEventsResponse messages. |
| tetragon.commandOverride | list | [] | Override the command. For advanced users only. |
| tetragon.debug | bool | false | Set to true to run Tetragon in debug mode. |
| tetragon.enableK8sAPI | bool | true | Access the Kubernetes API to associate Tetragon events with Kubernetes pods. |
| tetragon.enableKeepSensorsOnExit | bool | false | Persistent enforcement: allows an enforcement policy to continue running even when its Tetragon process is gone. |
| tetragon.enableMsgHandlingLatency | bool | false | Enable latency monitoring in message handling. |
| tetragon.enablePolicyFilter | bool | true | Enable the policy filter. This is required for K8s namespace and pod-label filtering. |
| tetragon.enablePolicyFilterDebug | bool | false | Enable policy filter debug messages. |
| tetragon.enableProcessCred | bool | false | Enable capabilities visibility in exec and kprobe events. |
| tetragon.enableProcessNs | bool | false | Enable namespaces visibility in exec and kprobe events. |
| tetragon.enabled | bool | true | |
| tetragon.eventCacheRetries | int | 15 | Number of retries in Tetragon's event cache. |
| tetragon.eventCacheRetryDelay | int | 2 | Delay (in seconds) between retries in Tetragon's event cache. |
| tetragon.exportAllowList | string | "{\"event_set\":[\"PROCESS_EXEC\", \"PROCESS_EXIT\", \"PROCESS_KPROBE\", \"PROCESS_UPROBE\", \"PROCESS_TRACEPOINT\", \"PROCESS_LSM\"]}" | Allowlist for JSON export. For example, to export only process_connect events from the default namespace: exportAllowList: |
| tetragon.exportDenyList | string | "{\"health_check\":true}\n{\"namespace\":[\"\", \"cilium\", \"kube-system\"]}" | Denylist for JSON export. For example, to exclude exec events that look similar to Kubernetes health checks, and all events from the kube-system namespace and the host: exportDenyList: |
| tetragon.exportFileCompress | bool | false | Compress rotated JSON export files. |
| tetragon.exportFileMaxBackups | int | 5 | Number of rotated files to retain. |
| tetragon.exportFileMaxSizeMB | int | 10 | Size in megabytes at which to rotate JSON export files. |
| tetragon.exportFilePerm | string | "600" | JSON export file permissions as a string. Typically either "600" (restrict access to the owner) or "640"/"644" (allow read access by a log collector or another agent). |
| tetragon.exportFilename | string | "tetragon.log" | JSON export filename. Set it to an empty string to disable JSON export altogether. |
| tetragon.exportRateLimit | int | -1 | Rate-limit event export (events per minute). Set to -1 to export all events. |
| tetragon.extraArgs | object | {} | |
| tetragon.extraEnv | list | [] | |
| tetragon.extraVolumeMounts | list | [] | |
| tetragon.fieldFilters | string | "" | Filters to include or exclude fields from Tetragon events. Without any filters, all fields are included by default. The presence of at least one inclusion filter implies default-exclude (i.e. any field that does not match an inclusion filter is excluded). Field paths are expressed in dot notation like "a.b.c", and multiple field paths can be separated by commas like "a.b.c,d,e.f". An optional "event_set" may be specified to apply the field filter to a specific set of events. For example, to exclude the "parent" field from all events and include the "process" field in PROCESS_KPROBE events while excluding all others: fieldFilters: |
| tetragon.gops.address | string | "localhost" | The address at which to expose gops. |
| tetragon.gops.enabled | bool | true | Whether to enable exposing the gops server. |
| tetragon.gops.port | int | 8118 | The port at which to expose gops. |
| tetragon.grpc.address | string | "localhost:54321" | The address at which to expose gRPC. Examples: localhost:54321, unix:///var/run/cilium/tetragon/tetragon.sock |
| tetragon.grpc.enabled | bool | true | Whether to enable exposing Tetragon gRPC. |
| tetragon.healthGrpc.enabled | bool | true | Whether to enable the health gRPC server. |
| tetragon.healthGrpc.interval | int | 10 | The interval at which to check the health of the agent. |
| tetragon.healthGrpc.port | int | 6789 | The port at which to expose health gRPC. |
| tetragon.hostProcPath | string | "/proc" | Location of the host proc filesystem in the runtime environment. If the runtime runs on the host, the path is /proc. Exceptions to this are environments like kind, where the runtime itself does not run on the host. |
| tetragon.image.override | string | nil | |
| tetragon.image.repository | string | "quay.io/cilium/tetragon" | |
| tetragon.image.tag | string | "v1.2.0" | |
| tetragon.livenessProbe | object | {} | Overrides the default livenessProbe for the tetragon container. |
| tetragon.ociHookSetup | object | {"enabled":false,"extraVolumeMounts":[],"failAllowNamespaces":"","installDir":"/opt/tetragon","interface":"oci-hooks","resources":{},"securityContext":{"privileged":true}} | Configure Tetragon's init container for setting up tetragon-oci-hook on the host. NOTE: this is deprecated, please use .rthooks. |
| tetragon.ociHookSetup.enabled | bool | false | Enable the init container to set up tetragon-oci-hook. |
| tetragon.ociHookSetup.extraVolumeMounts | list | [] | Extra volume mounts to add to the oci-hook-setup init container. |
| tetragon.ociHookSetup.failAllowNamespaces | string | "" | Comma-separated list of namespaces in which Pod creation is still allowed if tetragon-oci-hook fails to reach the Tetragon agent. The namespace Tetragon is deployed in is always added as an exception and must not be added again. |
| tetragon.ociHookSetup.interface | string | "oci-hooks" | Specifies how the hook is configured. There is only one available value for now: "oci-hooks" (https://github.com/containers/common/blob/main/pkg/hooks/docs/oci-hooks.5.md). |
| tetragon.ociHookSetup.resources | object | {} | Resources for the oci-hook-setup init container. |
| tetragon.ociHookSetup.securityContext | object | {"privileged":true} | Security context for the oci-hook-setup init container. |
| tetragon.pprof.address | string | "localhost" | The address at which to expose pprof. |
| tetragon.pprof.enabled | bool | false | Whether to enable exposing the pprof server. |
| tetragon.pprof.port | int | 6060 | The port at which to expose pprof. |
| tetragon.processCacheSize | int | 65536 | Tetragon puts processes in an LRU cache. The cache is used to find ancestors for subsequently exec'ed processes. |
| tetragon.prometheus.address | string | "" | The address at which to expose metrics. Set it to "" to expose on all available interfaces. |
| tetragon.prometheus.enabled | bool | true | Whether to enable exposing Tetragon metrics. |
| tetragon.prometheus.metricsLabelFilter | string | "namespace,workload,pod,binary" | Comma-separated list of enabled metrics labels. The configurable labels are: namespace, workload, pod, binary. Unknown labels will be ignored. Removing some labels from the list might help reduce metrics cardinality if needed. |
| tetragon.prometheus.port | int | 2112 | The port at which to expose metrics. |
| tetragon.prometheus.serviceMonitor.enabled | bool | false | Whether to create a 'ServiceMonitor' resource targeting the tetragon pods. |
| tetragon.prometheus.serviceMonitor.extraLabels | object | {} | Extra labels to be added on the Tetragon ServiceMonitor. |
| tetragon.prometheus.serviceMonitor.labelsOverride | object | {} | The set of labels to place on the 'ServiceMonitor' resource. |
| tetragon.prometheus.serviceMonitor.scrapeInterval | string | "10s" | Interval at which metrics should be scraped. If not specified, Prometheus' global scrape interval is used. |
| tetragon.redactionFilters | string | "" | Filters to redact secrets from the args fields in Tetragon events. To perform redactions, redaction filters define RE2 regular expressions in the redact field. Any capture groups in these RE2 regular expressions are redacted and replaced with "*****". For more control, you can select which binary or binaries should have their arguments redacted with the binary_regex field. NOTE: This feature uses RE2 as its regular expression library. Make sure that you follow RE2 regular expression guidelines, as you may observe unexpected results otherwise. More information on RE2 syntax can be found here. NOTE: When writing regular expressions in JSON, it is important to escape backslash characters. For instance \Wpasswd\W? would be written as {"redact": "\\Wpasswd\\W?"}. As a concrete example, the following will redact all passwords passed to processes with the "--password" argument: {"redact": ["--password(?:\s+ |
| tetragon.resources | object | {} | |
| tetragon.securityContext.privileged | bool | true | |
| tetragonOperator.affinity | object | {} | |
| tetragonOperator.annotations | object | {} | Annotations for the Tetragon Operator Deployment. |
| tetragonOperator.enabled | bool | true | Enables the Tetragon Operator. |
| tetragonOperator.extraLabels | object | {} | Extra labels to be added on the Tetragon Operator Deployment. |
| tetragonOperator.extraPodLabels | object | {} | Extra labels to be added on the Tetragon Operator Deployment Pods. |
| tetragonOperator.extraVolumeMounts | list | [] | |
| tetragonOperator.extraVolumes | list | [] | Extra volumes for the Tetragon Operator Deployment. |
| tetragonOperator.forceUpdateCRDs | bool | false | |
| tetragonOperator.image | object | {"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.2.0"} | tetragon-operator image. |
| tetragonOperator.nodeSelector | object | {} | Steer the Tetragon Operator Deployment Pod placement via nodeSelector, tolerations and affinity rules. |
| tetragonOperator.podAnnotations | object | {} | Annotations for the Tetragon Operator Deployment Pods. |
| tetragonOperator.podInfo.enabled | bool | false | Enables the PodInfo CRD and the controller that reconciles PodInfo custom resources. |
| tetragonOperator.podSecurityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}} | securityContext for the Tetragon Operator Deployment Pod container. |
| tetragonOperator.priorityClassName | string | "" | priorityClassName for the Tetragon Operator Deployment Pods. |
| tetragonOperator.prometheus.address | string | "" | The address at which to expose Tetragon Operator metrics. Set it to "" to expose on all available interfaces. |
| tetragonOperator.prometheus.enabled | bool | true | Enables the Tetragon Operator metrics. |
| tetragonOperator.prometheus.port | int | 2113 | The port at which to expose metrics. |
| tetragonOperator.prometheus.serviceMonitor.enabled | bool | false | Whether to create a 'ServiceMonitor' resource targeting the tetragonOperator pods. |
| tetragonOperator.prometheus.serviceMonitor.extraLabels | object | {} | Extra labels to be added on the Tetragon Operator ServiceMonitor. |
| tetragonOperator.prometheus.serviceMonitor.labelsOverride | object | {} | The set of labels to place on the 'ServiceMonitor' resource. |
| tetragonOperator.prometheus.serviceMonitor.scrapeInterval | string | "10s" | Interval at which metrics should be scraped. If not specified, Prometheus' global scrape interval is used. |
| tetragonOperator.resources | object | {"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}} | Resources for the Tetragon Operator Deployment Pod container. |
| tetragonOperator.securityContext | object | {} | securityContext for the Tetragon Operator Deployment Pods. |
| tetragonOperator.serviceAccount | object | {"annotations":{},"create":true,"name":""} | tetragon-operator service account. |
| tetragonOperator.strategy | object | {} | Update strategy for the Tetragon Operator Deployment. |
| tetragonOperator.tolerations[0].operator | string | "Exists" | |
| tetragonOperator.tracingPolicy.enabled | bool | true | Enables the TracingPolicy and TracingPolicyNamespaced CRD creation. |
| tolerations[0].operator | string | "Exists" | |
| updateStrategy | object | {} | |
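As an added example that is not part of the generated reference, the following values file tightens the JSON export path using the tetragon.* keys above: a narrower event allowlist, a denylist for health checks and control-plane namespaces, field filters, argument redaction, and owner-only export files with rotation. The filter strings follow the newline-separated JSON format visible in the chart defaults; the "fields" and "action" keys inside fieldFilters are assumed from Tetragon's field-filter JSON format, which the table above does not spell out.

```yaml
# Example values file (added here, not shipped with the chart).
tetragon:
  # Keep only the event types a detection pipeline normally consumes.
  exportAllowList: |-
    {"event_set":["PROCESS_EXEC","PROCESS_EXIT","PROCESS_KPROBE"]}
  # Drop health-check noise and events from kube-system; "" is the host
  # (no namespace), as in the chart default.
  exportDenyList: |-
    {"health_check":true}
    {"namespace":["", "kube-system"]}
  # Exclude the verbose parent field from every event, and for kprobe
  # events keep only the process field (an inclusion filter implies
  # default-exclude for everything else). "fields"/"action" are assumed
  # from Tetragon's field-filter format.
  fieldFilters: |-
    {"fields":"parent","action":"EXCLUDE"}
    {"fields":"process","event_set":["PROCESS_KPROBE"],"action":"INCLUDE"}
  # Mask the value after --password (space- or =-separated) for the mysql
  # and psql clients only. Capture groups are what gets replaced, and the
  # RE2 backslashes are doubled because the pattern lives inside JSON.
  redactionFilters: |-
    {"binary_regex":["(?:^|/)(mysql|psql)$"],"redact":["--password(?:\\s+|=)(\\S*)"]}
  # Export files readable by the owner only, rotated at 50 MB, keeping
  # 10 compressed backups.
  exportFilePerm: "600"
  exportFileMaxSizeMB: 50
  exportFileMaxBackups: 10
  exportFileCompress: true
```

Apply it with helm install tetragon cilium/tetragon -n kube-system -f values.yaml (or the same flag on helm upgrade); -f can be combined with --set for individual overrides.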
Last modified October 30, 2024: update rthooks image to v0.4 (6f2c2ccac)